surely?
How can you be sure when they didn't post anything about the energy density? (Maybe there is some info in the original article, but I don't have access to the journal.)
If this exercise had been done with criminal intent it would be breaking the law.
I am so glad to know that if you hack into computers, but do it with good intentions, that it is not illegal. That's wonderful for all the white hats who have been accused of breaking-in for merely notifying people of vulnerabilities, or those who have written proof-of-concepts to kick-start lazy corporations into implementing real security measures. Fortunately, they will now all be released from jail and their reputations returned to them.
Or am I misunderstanding? Is it okay to do so long as you work for the BBC?
Unix systems (including Linux) have been one of the primary targets for viruses and trojans for years. This is because they run so many servers, and tend to run on big iron, in big companies, those machines are very tasty targets. Oh, and because a virus can target many platforms since Unix systems are very similar.
The reality is that Linux is not targeted by the bzillions of dumbass trojans that assume the user is running as an administrator and will install anything so long as it has a dancing hamster or something. Most Unix systems are virtually immune to those types of things. Vista is now too (mostly) so really, their days are numbered.
Market share only really affects trojans, which are not as much of a problem for Linux. So I say: bring it on.
Snopes says that didn't really happen. But they say Alabama. I suspect it is the same urban legend over and over again.
Well, the UI is terrible for two reasons. One, programmatically it is impossible to know the intention of the triggering application.
That is a common misconception. The OS actually knows quite a lot.
Writes to HKCR are either shell extensions, COM components, or new extensions registered to an app. The UAC could say things like "updating .doc files to point to Microsoft Word" or even "Updating 'Open' for .doc files to point to Microsoft Word v9.0 in C:\..\Word.exe" Not that they need to, but they get a lot of detail. Updating startup components is obvious too. That covers the most common cases. File system too: "Adding items to start menu" or "updating system files" is clear.
The screen freeze thing doesn't bother me, except for the delay.
You can tell it to ask for your password, instead.
Oh good.
Pop-quiz: ...
More annoying. I didn't mean it should be default, I just wanted to make sure it was available. Although remember: In Microsoft's mind, it is SUPPOSED to be annoying. :-)
So your program can get a UAC approval for writing an .ini file in Program Files, then within the time limit it'd be fine to add a virus to run on startup? Your first two items argue for a more secure UAC, this one argues for a LESS secure UAC-- which is it?
There's lots of ways to deal with that, not sure which one is best. But the most common scenario is when someone modifies a start menu entry. It should just execute an explorer.exe with escalated privileges. After Microsoft deals with the common scenarios, then I'll give them some slack on dealing with these tougher ones.
How do you believe Microsoft could do this? I mean, I agree with you 100%, but how?
Well, one way would be to enforce the Microsoft logo requirements. Officially, they said that all apps must run as limited users to qualify. But they put other garbage in the requirements, and then never enforced it, so it is useless. Today, it probably wouldn't even matter to anyone.
There's lots of other ways. Putting out a tool to verify that things run as limited user. Educating developers. Warning them in Visual Studio. Listing their apps as incompatible with various OS releases. Sending them notices. Promoting apps that were compliant. etc. There's a billion ways. Some of these suggestions might suck, I dunno. Point is, they could have done it.
They already do that in a LOT of places.
Oh good! I didn't know that. Then I'll stop thinking about an app to do that. I know they have a thing to redirect INI files to the registry, that was added in NT or 2000 or so.
You just picked at my wording instead of the actual issues.
(2) It does tell you what. The "why" could be useful, but it's highly likely this information could not be presented in a user-friendly manner.
"what" or "why" - the point is it needs to be meaningful. And many times, it really does know why. Possible things would be: "Adding items to system startup" or "Registering new system component (COM)" or "Modifying file extension associations" - The registry is a hierarchy, and the UAC can know what the registry entries mean. How about "updating system file" for file system stuff.
Double prompts
Not fixed on my mom's computer.
Modifying your Start Menu items does not prompt. Modifying the system-wide one, obviously, does.
That's still wrong.
First, the user doesn't, and should not have to, understand the difference. They drag something in their start menu, it should change. If it was a system-wide setting, then it should now be a local setting. On OS X, I've never had to understand that there was a difference at all.
Er, you don't...
Depends on which ones.
Since it's basically a copy of what every other OS does
Under the hood, yes, it is what other OSs do. The problem is that the UI was terrible. Your second point hits the nail on the head.
Microsoft could have easily fixed this in a service pack to Vista.
In practice, I can run Windows XP as a limited user, and modify the short cuts on the start menu so that they prompt me to run as admin, and I can get Windows Vista without all the pain. I wanna change 10 things on the start menu? I just click "edit start menu" and type in the admin password. Sure beats 20 prompts to move 10 shortcuts.
Vista's way isn't correct at all. BSD, Linux, did it right. Windows 2000/XP were almost right.
Here's the things that Vista does wrong with security:
1) Doesn't prompt for admin password. Instead, it just prompts Cancel / Allow.
2) Doesn't tell you what or why it is prompting.
3) Double prompts. (And worse)
* They needed to prompt for the duration of the app (or a time limit), not for each individual operation.
4) Prompts at places where security is not relevant, such as
- Modifying the start menu. Other OS's just modify your local one.
- Read-only access to system level items. Going to the various control panels should not require admin access.
What Microsoft should have done on Windows Vista:
- Modify XP so that the various built-in apps prompt for admin password when they actually need it. (Ex: Committing changes in control panel)
- Default users to limited users
- Chastise developers who do not write code to work as limited users. (They needed to do this back in 1993 with Windows NT - CERTAINLY by 2000 this should have been eliminated.)
- Make workarounds for specific applications that wrote things to the wrong place. Ex: Directing HKLM registry entries to HKCU.
- Make prompts for applications where the above workaround doesn't apply. That might be based on a white list of those few apps that are important enough to not break, but where the above workarounds were not sufficient, and where the manufacturer was unable to issue a patch in time.
Despite the workarounds I listed, my solution would have not really been any more work, since they already do heavy application testing and have tons of hacks and workarounds for compatibility. (Microsoft does a good job of this, overall). If they wanted to make a check box somewhere "don't prompt for admin password, just display cancel/allow" then that would be fine. But the point is, prompting twice at every stupid registry change or file I/O operation is too granular. Sometimes moving a file in the start menu displays multiple prompts instead of just a single one.
It's ironic that there is a GPL'd FAT implementation, when the GPL forbids licensing patents.
We need penalties for representatives who pass unconstitutional laws. It should probably be a criminal act. Does it make sense that the highest law of our land can be violated with no penalties? And by those who swear an oath to uphold it?
The government didn't force anyone to make bad loans. If you are a loan officer and you made a bad loan, it isn't because the government held a gun to your back.
It is amazing how on one hand you hear "The government made the banks do it through regulation" and on the other you hear "Deregulation of banks made them do stupid things!" Which is it? Did the government tell them to make the loans? Or did the government fail to tell them not to make the loans?
Neither: The banks made loans based on their own flawed risk calculations and poor valuation of future property values. Capitalism is based on the power of greed, but it assumes that the greedy ones are also smart. In this case, they weren't.
The bureaucrats and managers almost always make the major strategic technical decisions.
Which piece of software to use is not a strategic decision. And if they did make such a decision, they should do so based on the recommendations of their technical people. The issue here is that they are making the decisions based on politics, not technology.
We have seen this time and time again on Slashdot, government should not try to legislate technology. (And we shouldn't let them try, just because we think they will do what we want.)
What do you do a decade from now when a 16bit string is laughably small
That problem pales in comparison to the problem that null terminated strings caused: The developer allocates a fixed length line 20 characters, then finds it is too short.
The appeals court decided Brodie was not entitled to learn the identities of the posters because in his complaint he misidentified the forum participants responsible for the critical comments.
How did he misidentify them? Did he guess as to who they were, and guess wrong?
The PDF file itself states:
The Court reviewed the record and determined that Brodie had not identified the appropriate forum participants in his complaint. Because Brodie failed to assert his defamation action against the correct individuals, the Court reversed the trial judge's order compelling the discovery of the forum participants' identities.
How is it relevant that he misidentified them initially? Or is it simply that identifying someone by a user name is considered misidentification?
I would not want there to be a loophole in this ruling that would make it not apply in other cases.
Why are they so concerned about protecting the video streaming, when they mail out DVDs that everybody knows how to rip? If I wanted to pirate stuff using Netflix, this new DRM would do nothing to stop me.
Thank you. Mandating open standards makes perfect sense. Along with mandating that government research be made open.
GAH! My other post was meant to be in reply to someone else. Doh!
finding OSS solutions which can replace expensive proprietary software is pretty high on the list.
I 100% agree! You seem to think I am arguing against open source. I'm not: I'm arguing against forcing technical decisions through legislation.
Part of the problem is because if you open up that can of worms, odds are that open source guy loses. Politicians will legislate solutions based on who can fly them to Aruba for "technology training" and who can line their pockets.
If you want open source, then use it. And convince your boss. Not your president's president.
Closed source software does not pollute the environment. That analogy is totally irrelevant on anyplace other than slashdot.
Already today there have been two other stories today about people wanting government or administrators to override technical decisions about what software to use. Seems like I get modded troll every time, but I'll keep saying it. Let the techies choose technology, not the bureaucrats. It's like people want the government out of their way, unless the government is doing what they want. I'd love to see open source everywhere, but I'm not calling someone 500 people up the decision-making chain and telling them to make the decision. I'll advocate open source by writing it, using it, and recommending it to my boss. That's where it should stay. Keep the geeks out of politics.
Why decide on what software to use based solely on a single criterion? Of course open source should be used in schools. And closed source should also be used in schools. And big programs, and little ones. And green ones and red ones.
Use open source where it is appropriate. If the school wants to use Microsoft Office because that is a great program and it is available on Mac and Windows, and that is good enough: fine! It's not a security issue, so who cares? On the other hand, if Office is too expensive, then use OpenOffice. Great!
If this is a computers course, they should use Windows. And Mac. And Linux. Because those are things relevant to the course. Use Linux not because it is OSS, but because it is relevant for students to learn on. Or for the price.
Unless the focus is security, or it is a programming course, the state of the source code should not be the main deciding factor.
This is like the EU deciding what oil individuals should use in all their cars.
The decision to use open source is not a governmental decision. If a government says to me "build a bridge from point A to point B," then I decide what piece of software is best for calculating the mass of the bridge. I can use an open source product, or a closed source product. But it would be absurd for my decision to be affected by what some guy in another country, who has no idea what software is, to make that decision for me.
Heh, the "somebody" was me :) And you assume correctly about C++. Since I code in C++ not C, I took it for granted that const int worked in C since it works in C++. ugh.
Thanks for the detailed replies.
The FTC argued in court papers filed in Washington that Rambus "waited to assert its patent interests until the new standards had been widely implemented." The agency said Rambus then "demanded stiff royalties from makers of the great majority of computer memory chips."
I thought this case was about Rambus filing patents for ideas that were brought up during the committee planning of the memory standard. That would mean that their patents are invalid, and that they essentially stole them. But that doesn't seem like what the FTC based their case on. The article makes it look like all Rambus did was wait to assert their patents, which is jerkass but perfectly legal.
Am I confusing this with another case?
Thanks, wow... so, doesn't that mean they broke functionality that worked in previous revisions of C?